Basic setup is here
/ipv6 settings set accept-redirects=no accept-router-advertisements=yes
/ipv6 dhcp-client add interface=pppoe-wan-eth1 pool-name=pd1 prefix-hint=::/56 rapid-commit=no request=prefix use-peer-dns=no
/ipv6 address add address=::1 from-pool=pd1 interface=v80
/ipv6 address add address=::1 from-pool=pd1 interface=v10
/ipv6 address add address=::1 from-pool=pd1 interface=v99
/ipv6 nd set [ find default=yes ] disabled=yes
/ipv6 nd add dns=2620:fe::fe interface=v10 ra-lifetime=2h
/ipv6 nd add interface=v99 ra-lifetime=2h
/ipv6 nd add dns=2620:fe::fe interface=v80 ra-lifetime=2h
/ipv6 nd add advertise-dns=no interface=pppoe-wan-eth1 ra-lifetime=none
Now to the problem itself... While most of the IPv6-enabled internet works OK, I stumbled on a problem with some of Microsoft's services, which were inaccessible when IPv6 was enabled. There may be more of them, but my focus was on packages.microsoft.com, appsource.microsoft.com and entra.microsoft.com.
At first I made tests on ipv6-test.com, test-ipv6.com and on the dedicated ICMP blackhole test page icmpcheckv6.popcount.org. All of these returned OK results, including the "large packet send" test, so it did not seem to be an overall ICMP filtering problem. ICMP "packet too big" messages appeared in my firewall log as well.
Then I tried some tracepath testing (last one is one of test-ipv6.com nodes)
Initially all looked OK (even if somewhat patchy)
$ tracepath -6 dns.quad9.net
1?: [LOCALHOST] 0.009ms pmtu 1500
1: 2001:xxxx:2300:b801::1 0.839ms
1: 2001:xxxx:2300:b801::1 0.778ms
2: 2001:xxxx:2300:b801::1 0.704ms pmtu 1492
2: 2001:xxxx:ffff:f232::232 1.319ms
3: 2001:xxxx:ffff:1070::205 1.906ms
4: 2001:7f8:50:1:0:2a:0:130 1.814ms
5: 2620:fe::fe 2.007ms !A
Resume: pmtu 1492
~$ tracepath -6 ipv6-test.com
1?: [LOCALHOST] 0.021ms pmtu 1500
1: 2001:xxxx:2300:b801::1 0.781ms
1: 2001:xxxx:2300:b801::1 0.721ms
2: 2001:xxxx:2300:b801::1 0.688ms pmtu 1492
2: 2001:xxxx:ffff:f232::232 1.130ms
3: 2001:xxxx:ffff:1070::205 1.876ms
4: ae9-720.RT.ELN.TLL.EE.retn.net 1.456ms asymm 5
5: RT.LIM.WAW.PL.retn.net 15.477ms asymm 6
6: waw-atm-pb1-nc5.pl.eu 15.881ms
7: 2001:41d0:aaaa:100::5 27.023ms asymm 10
8: 2001:41d0:aaaa:100::7 27.004ms asymm 10
9: no reply
10: no reply
11: fra1-lim1-g1-8k.de.eu 31.669ms asymm 9
12: 2001:41d0:0:50::5:f943 28.012ms asymm 10
13: 2001:41d0:0:50::5:39ad 32.193ms asymm 10
14: 2001:41d0:0:1:3::4899 31.252ms asymm 12
15: 2001:41d0:0:1:3::4593 31.317ms asymm 13
16: 2001:41d0:0:1:3::4688 34.953ms asymm 13
17: no reply
18: 2001:41d0:701:1100::29c8 28.209ms reached
Resume: pmtu 1492 hops 18 back 16
$ tracepath -6 2a01:7e01::f03c:91ff:fe16:a2e9
1?: [LOCALHOST] 0.036ms pmtu 1500
1: 2001:xxxx:2300:b801::1 0.835ms
1: 2001:xxxx:2300:b801::1 0.726ms
2: 2001:xxxx:2300:b801::1 0.679ms pmtu 1492
2: 2001:xxxx:ffff:f232::232 1.144ms
3: 2001:xxxx:ffff:1070::205 1.940ms
4: ae9-720.RT.ELN.TLL.EE.retn.net 1.281ms asymm 5
5: RT.EQX.FKT.DE.retn.net 33.136ms asymm 9
6: ipv6.de-cix.fra.de.as63949.linode.com 33.753ms
7: 2600:3c0f:10:32::1 32.735ms
8: 2600:3c0f:10:35::14 33.450ms
9: 2600:3c0f:10::416 31.986ms asymm 10
10: 2a01:7e01::f03c:91ff:fe16:a2e9 30.361ms reached
Resume: pmtu 1492 hops 10 back 11
$ tracepath -6 packages.microsoft.com
1?: [LOCALHOST] 0.014ms pmtu 1500
1: 2001:xxxx:2300:b801::1 0.766ms
1: 2001:xxxx:2300:b801::1 0.735ms
2: 2001:xxxx:2300:b801::1 0.704ms pmtu 1492
2: 2001:xxxx:ffff:f232::232 1.186ms
3: no reply
4: netnod-ix-ge-a-sth-1500.microsoft.com 7.759ms
5: no reply
6: no reply
7: no reply
.
.
.
29: no reply
30: no reply
Too many hops: pmtu 1492
Resume: pmtu 1492
At first I tried this
/ipv6 firewall mangle add action=change-mss chain=postrouting new-mss=clamp-to-pmtu out-interface-list=internet passthrough=yes protocol=tcp tcp-flags=syn
/ipv6 firewall mangle add action=change-mss chain=postrouting new-mss=1340 out-interface-list=internet passthrough=yes protocol=tcp tcp-flags=syn
As I see it, there's no overall blanket ICMP filtering from my ISP, as the dedicated tests would then fail and MSS would not be trimmed to 1255, but the sites with problems have their ICMP traffic borked, which seems to be the cause of all these problems.
If I have any proper understanding of the situation, then it looks like the problem might be at the ISP, at these sites or somewhere in between, because the ICMP traffic needed for PMTU discovery gets lost (for these sites/domains) while TCP traffic does not.
Any thoughts on this issue are welcome. To some extent it might even be good to be set on a fixed MSS value, as this eliminates hiccups and delays caused by PMTU, but for some sites/services it is still somewhat sub-optimal.
What do you think I should try next?
P.S. I have put a message ahead to my ISP support. Maybe they will even be reading this thread eventually...
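As an added example (not part of the original post or of RouterOS), the following Python script parses tracepath output of the kind shown above, flags the PMTU-blackhole signature (the path MTU drops to 1492 at the PPPoE hop but the trace never reaches its target and ends in a run of "no reply" / "Too many hops"), and computes the largest TCP MSS that fits the reported path MTU. The two sample traces are abbreviated copies of the runs from the post, embedded so the script runs offline; the threshold of three trailing "no reply" hops and the header sizes (40 bytes IPv6, 20 bytes IPv4, 20 bytes TCP) are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: an abbreviated copy of the trace that reached
# its destination (Linode host) in the post above.
TRACE_OK = """\
1?: [LOCALHOST] 0.036ms pmtu 1500
 1:  2001:xxxx:2300:b801::1 0.835ms
 2:  2001:xxxx:2300:b801::1 0.679ms pmtu 1492
 3:  2001:xxxx:ffff:1070::205 1.940ms
10:  2a01:7e01::f03c:91ff:fe16:a2e9 30.361ms reached
     Resume: pmtu 1492 hops 10 back 11
"""

# Constructed sample input: an abbreviated copy of the packages.microsoft.com
# trace from the post, which never reaches its target.
TRACE_BLACKHOLE = """\
1?: [LOCALHOST] 0.014ms pmtu 1500
 1:  2001:xxxx:2300:b801::1 0.766ms
 2:  2001:xxxx:2300:b801::1 0.704ms pmtu 1492
 3:  no reply
 4:  netnod-ix-ge-a-sth-1500.microsoft.com 7.759ms
 5:  no reply
 6:  no reply
 7:  no reply
30:  no reply
     Too many hops: pmtu 1492
     Resume: pmtu 1492
"""

IPV6_HEADER = 40   # bytes, fixed IPv6 header
IPV4_HEADER = 20   # bytes, IPv4 header without options
TCP_HEADER = 20    # bytes, TCP header without options
TRAILING_NO_REPLY_THRESHOLD = 3  # assumed heuristic for "path went dark"


@dataclass
class TraceResult:
    pmtu: Optional[int]          # last path MTU tracepath reported
    reached: bool                # did any hop line end with "reached"?
    last_reply_hop: Optional[int]  # highest hop number that answered
    trailing_no_reply: int       # consecutive "no reply" hops at the end
    too_many_hops: bool          # tracepath gave up at its hop limit

    def suspect_blackhole(self) -> bool:
        """True when the trace never reached its target and the path went dark."""
        if self.reached:
            return False
        return self.too_many_hops or self.trailing_no_reply >= TRAILING_NO_REPLY_THRESHOLD


HOP_RE = re.compile(r"^\s*(\d+)\??:\s+(.*?)\s*$")
PMTU_RE = re.compile(r"pmtu (\d+)")


def parse_tracepath(text: str) -> TraceResult:
    """Parse `tracepath -6` output into a TraceResult."""
    pmtu = None
    reached = False
    last_reply = None
    trailing = 0
    too_many = False
    for line in text.splitlines():
        m = PMTU_RE.search(line)
        if m:
            pmtu = int(m.group(1))      # later values override earlier ones
        if "Too many hops" in line:
            too_many = True
        hop = HOP_RE.match(line)
        if not hop:
            continue                    # "Resume:" / "Too many hops:" lines
        hop_no, rest = int(hop.group(1)), hop.group(2)
        if rest.startswith("no reply"):
            trailing += 1
            continue
        trailing = 0                    # a reply resets the dark-run counter
        last_reply = hop_no
        if rest.endswith("reached"):
            reached = True
    return TraceResult(pmtu, reached, last_reply, trailing, too_many)


def clamp_mss(pmtu: int, ipv6: bool = True) -> int:
    """Largest TCP MSS whose segment still fits into one packet of `pmtu` bytes."""
    return pmtu - (IPV6_HEADER if ipv6 else IPV4_HEADER) - TCP_HEADER


if __name__ == "__main__":
    for name, trace in (("ok", TRACE_OK), ("blackhole", TRACE_BLACKHOLE)):
        r = parse_tracepath(trace)
        print(name, r, "suspect_blackhole =", r.suspect_blackhole())
    print("IPv6 MSS for pmtu 1492:", clamp_mss(1492))
```

For the 1492-byte path MTU that the PPPoE hop reports, `clamp_mss(1492)` gives 1432 for IPv6 (1452 for IPv4); the post's fixed value of 1340 is simply a more conservative choice that leaves headroom for extra encapsulation somewhere further along the path.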